Hot on the heels of yesterday's release of
stackage-upload, I'm happy to announce the release of stackage-install.
This tool was actually not something we'd planned on writing, but
Greg Weber came up with the idea for this addition, so I went ahead
with it. What's exciting is that- combined with stackage-update-
users of Haskell packages now have a simple workflow that ensures
all packages are downloaded over a secure connection.
As with stackage-upload, I've copied below the content of the
README file; if you see errors please send
a pull request to update the content. This tool is pretty
simple right now, but can be easily extended. If others are
interested in collaborating on this project, please be in
stackage-install provides a wrapper around the
cabal install command, which will download packages
more securely. Initially, this means downloading over an HTTPS
connection from FP Complete's Amazon S3 mirror of Hackage, though
more hardening is planned for the future (see future improvements
To install, simply run
cabal update && cabal install
stackage-install. Usage is intended to overlap well with
cabal install. Whenever you would have run
install foo, you can now run
stk install foo with stackage-cli installed),
which will perform the following steps:
cabal fetch --dry-run ... to get cabal's build
- Download the relevant packages from S3, and place them in the
cabal install ...
If you have a modified
remote-repo in your
~/.cabal/config file, this tool will not provide proper hardening.
Most users do not modify their remote-repo, so this shouldn't be an
issue most of the time.
There are some combinations of
arguments which may not translate well to this tool. One known
issue is that passing
--dry-run is not supported, but
others may apply as well.
This tool necessarily has to call
twice, once to calculate the dependencies, and then to install
them. It's theoretically possible that
could come up with different build plans between the two calls, in
which case the second call may download some packages insecurely.
I've opened cabal issue
#2566 about disabling downloading in cabal.
Why not fix cabal?
Hopefully cabal will get fixed soon, the
discussion has already started. It's unfortunately unclear how
long that discussion will take, and I received a specific request
to write this tool. Since it's a small amount of code, I went ahead
with this as an interim solution.
That said, some of the future enhancements discussed below are
not planned for cabal, in which case this tool will continue to
remain relevant for people looking for additional security beyond
See the same
question and its answer on stackage-update.
- Check hashes of all packages downloaded against a collection of
- Verify signatures from authors against the signature
Do you like this blog post and need help with DevOps, Rust or functional programming? Contact us.